PaulDotCom mailing list archives

Previous By Date Next
Previous By Thread Next

Skype -> upnp AddPortMapping port 4444?!

From: nbaronian at gmail.com (Nick Baronian)
Date: Thu, 2 Apr 2009 09:18:51 -0400
I am not sure which rule that is and if this helps but I have had decent
success in using an old Bleeding Edge rule to detect Skype.  According to
the author it shouldn't detect newer versions but I recall I was still
successful in detecting newer versions of Skype with it, even the
MySpace/Skype IM client.  I never fully verified which versions of
everything though.
http://marc.info/?l=snort-sigs&m=111396037710323&w=1


On Thu, Apr 2, 2009 at 7:42 AM, Raffi Jamgotchian
<raffi at flossyourmind.com>wrote:


It does use upnp by default. They use their own implementation of it

----
Raffi

On Apr 2, 2009, at 3:16 AM, Michel Lundell <michel at moose.se> wrote:


Hi l33t folks!

Does skype add a external port using upnp?
(and to the port 4444!!!?)
The port number seemes familiar ,o), also the AddPortMapping ...

This is a incident right? or does skype do this on the windows
platform?
Cant detect this behaviour on a linux box...

Scanned the router, but nmap did not detect any open port, so it may
failed or was closed when I performed the scan... maybe it failed?

I have not permission to access the router config yet....

/M

#(26 - 8149) [2009-03-30 07:38:46] [local/100021] [snort/1:100021]
to router traffic alert
IPv4: 192.168.1.2 -> 192.168.0.254
     hlen=5 TOS=0 dlen=903 ID=16342 flags=0 offset=0 TTL=128
chksum=13386
TCP:  port=61432 -> dport: 4444  flags=***AP*** seq=1705820595
     ack=1383450833 off=5 res=0 win=64240 urp=0 chksum=15790
Payload: POST /wipconn HTTP/1.0<DIV class="nonascii">[2 non-ASCII
characters]</DIV>Host: 192.168.0.254:4444<DIV class="nonascii">[2
non-ASCII characters]</DIV>Content-Type: text/xml;
charset="utf-8"<DIV class="nonascii">[2 non-ASCII characters]</
DIV>SOAPAction: "urn:schemas-upnp-org:service:WANIPConnection:
1#AddPortMapping"<DIV class="nonascii">[2 non-ASCII characters]</
DIV>Connection: close<DIV class="nonascii">[2 non-ASCII characters]</
DIV>Content-Length: 653<DIV class="nonascii">[4 non-ASCII
characters]</DIV><?xml version="1.0" encoding="utf-8"?><DIV
class="nonascii">[2 non-ASCII characters]</DIV><s:Envelope xmlns:s="

http://schemas.xmlsoap.org/soap/envelope/

" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/";><DIV
class="nonascii">[2 non-ASCII characters]</
DIV><s:Body><u:AddPortMapping xmlns:u="urn:schemas-upnp-
org:service:WANIPConnection:1"><DIV class="nonascii">[2 non-ASCII
characters]</DIV><NewRemoteHost></NewRemoteHost><DIV
class="nonascii">[2 non-ASCII characters]</
DIV><NewExternalPort>6895</NewExternalPort><DIV class="nonascii">[2
non-ASCII characters]</DIV><NewProtocol>TCP</NewProtocol><DIV
class="nonascii">[2 non-ASCII characters]</
DIV><NewInternalPort>6895</NewInternalPort><DIV class="nonascii">[2
non-ASCII characters]</DIV><NewInternalClient>192.168.1.2</
NewInternalClient><DIV class="nonascii">[2 non-ASCII characters]</
DIV><NewEnabled>1</NewEnabled><DIV class="nonascii">[2 non-ASCII
characters]</DIV><NewPortMappingDescription>Skype TCP at
192.168.1.2:6895 (819)</NewPortMappingDescription><DIV
class="nonascii">[2 non-ASCII characters]</DIV><NewLeaseDuration>0</
NewLeaseDuration><DIV class="nonascii">[2 non-ASCII characters]</
DIV></u:AddPortMapping></s:Body></s:Envelope><br><br>



_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com

_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com


-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.pauldotcom.com/pipermail/pauldotcom/attachments/20090402/55978894/attachment.htm
Previous By Date Next
Previous By Thread Next

Current thread: